Introduction

To reduce the risk of pulling in embedded content from unknown sites, Microsoft 365 sets a default list of sites and domains that are recognized as safe. The list is found in the HTML Field Security setting for the site collection.

Details of April 2017 update

If you try embedding external content on a modern page by using the Content Embed web part, you may receive the "Embedding content from this website isn't allowed" error message. This error occurs when you try to embed content from a website that isn’t on the list of sites and domains that are found in the HTML Field Security setting for the site collection.

To improve the content embedding experience, the default list of sites and domains has been expanded to include additional, frequently used websites from Microsoft and external services. The added sites include the following:

  • forms.office.com

  • channel9.msdn.com

  • videoplayercdn.osi.office.net (for videos from support.office.com)

  • calendar.google.com

  • www.google.com

This update will occur only for site collections where the HTML Field Security setting uses the default list of sites. (That is, the HTML Field Security setting has not been changed.) Therefore, if you are using the default settings, you will obtain the update automatically.

If you don't want the update, you can change the HTML Field Security setting beforehand to your own custom list. Or, if you have already changed the HTML Field Security settings but you want to add the sites that are in the update, you can manually change the HTML Field setting to include these sites.

To manually change the HTML Field Security setting per site collection, see Allow or restrict the ability to embed content on SharePoint pages.

Details of August 2017 update

The following new domains are added to the default list in the HTML Field Security setting:

  • powerapps.com

  • flow.microsoft.com

  • app.smartsheet.com

  • publish.smartsheet.com

  • www.slideshare.net

  • youtu.be

  • read.amazon.com

  • onedrive.live.com

This update also provides an improvement to how the HTML Field Security setting is configured, which enhances the content embedding experience. To manually change the HTML Field Security setting per site collection, see Allow or restrict the ability to embed content on SharePoint pages

Details of August 2018 update

The following domains are added to the default list in the HTML Field Security setting:

  • www.microsoft.com

  • forms.office365.us

  • Support.office.com

  • embed.ted.com

This update improves the embedding experience of the embed web part. To manually change the HTML Field Security setting per site collection, see Allow or restrict the ability to embed content on SharePoint pages.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.